Laravel development: How to implement API authentication using Laravel Sanctum?

With the popularity of RESTful APIs and the widespread use of applications, more and more applications require authentication and authorization of APIs, so API security has become an extremely important aspect in today's software development. Laravel Sanctum is a lightweight authentication system introduced out of the box with Laravel 7.0, which is designed to make API authentication simple and secure. In this article, we will introduce how to use Sanctum in Laravel to ensure API security.

1. Installing Laravel Sanctum

Before we begin, we need to confirm that Laravel 7.0 version has been installed. Then we can use composer to install Laravel Sanctum dependencies:

composer require laravel/sanctum

After installing Sanctum, add the following code to the config/app.php file:

'providers' => [
    // ...
    LaravelSanctumSanctumServiceProvider::class,
],

'aliases' => [
    //...
    'Sanctum' => LaravelSanctumSanctum::class,
]

In this way, Laravel The application already uses the services and functions provided by Sanctum.

2. Configuring the database

Next, before performing database migration, we need to set up Sanctum’s database tables. Larav lSanctum provides a personal_access_tokens database table by default that contains the following fields:

• id: The unique identifier of the token
• tokenable_type: The class name of the model associated with the token
• tokenable_id: The ID of the model associated with the token
• name: The name of the token
• token: The value of the API token
• abilities: The authorization of the token

Before creating the personal_access_tokens table, we need to create the model relationship first. This can be done by registering the following in AuthServiceProvider:

use LaravelSanctumSanctum;
//...

public function boot()
{
    $this->registerPolicies(); 

    Sanctum::ignoreMigrations();

    Sanctum::actingAs( null, [
        'superuser'
    ]);
}

Sanctum::ignoreMigrations() is used to prevent Laravel from running the artisan migrate command Execute Sanctum's database migration file. However, in most cases we just add it to the command of the database migration file. Sanctum::actingAs() Also provides a development-only method that impersonates the user without user authentication.

Then we need to run the following command to create the personal_access_tokens table:

php artisan migrate

3. Create API Token

Laravel Sanctum is We provide two ways to generate tokens for the API. One is the CreateToken method, which can create one or more API tokens with optional names and granted permissions. Here we introduce the second method, which is to use the hasApiTokens() function with the createToken() function:

// use the HasApiTokens trait within your User Model
use LaravelSanctumHasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;

    // ...
}

// create a Token with User ID and given Abilities
$personalAccessToken = $user->createToken('API Token', ['server:get','server:post']);

Here we use in the user model HasApiTokensTrait to implement API token functionality in the user model. We use the createToken method to create an API token and specify an optional name and authorized permission key when creating the token.

4. Securing API Routes

With the API key in hand, we can inject it into every request for authentication. We can use sanctum middleware in Laravel's routing file to protect the API route in order to verify the token in the request:

// A Group of API routes that require a valid Token
Route::group(['middleware' => 'auth:sanctum'], function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });
});

In this code, we define a validation containing sanctumMiddleware routing group. A route group contains a route that only requires a valid Token to access.

5. Using Bearer Token

Using BearerToken is the best way to send an API token via the HTTP Authorization header Common methods. You can authorize the token by adding Authorization: Bearer {{$personalAccessToken->plainTextToken}} to the request header:

curl -H "Authorization: Bearer xxxxx" http://example.com/api/user

6. Revoke API token

Finally, we need to understand how to revoke API tokens. We can use the tokens()->delete() function to delete all API tokens for a user, or use the revoke() function to revoke a single API token:

$user->tokens()->delete();

$personalAccessToken->revoke();

Conclusion

Now we have successfully implemented Sanctum authentication to protect our API. Sanctum and Laravel provide simple yet powerful API authentication, which allows developers to focus on building powerful APIs and put the main focus on business logic. When using Sanctum, it is highly recommended that you carefully read the official documentation so that you can fully understand the API's authentication process and ensure the highest security for your application.

The above is the detailed content of Laravel development: How to implement API authentication using Laravel Sanctum?. For more information, please follow other related articles on the PHP Chinese website!